nmap is a security scanner capable of mapping topology, discovering hosts, determining OS and device profiles, examining individual services, and exposing vulnerabilities across networks. It’s licensed under the GPL and binaries are available for most platforms. A graphical frontend called Zenmap is available in most Linux repos.
More specifically, nmap sends ICMP Echo (type 0), ICMP Timestamp Request (type 13), TCP SYN, and TCP ACK packets to specified individual systems or network address ranges. As it discovers active or listening devices, nmap examines their ports, places each port into one of six states (open, closed, filtered, unfiltered, open|filtered, and closed|filtered), and attempts to identify the services or software running on the open ones. All of this default behavior can be modified with nmap's command-line switches; see the official nmap documentation and an IP protocol RFC sourcebook for further discussion. nmap is a useful pen-testing tool because it includes a scripting engine and can send intentionally malformed or fragmented packets, perform decoy scans, and falsify source ports, IP addresses and MAC addresses for IDS and firewall evasion.
Some Common nmap Options
Usage: nmap [options] hostname-or-IP-range
| Option | Purpose |
|---|---|
| -A | Enable OS detection, version detection, script scanning, and traceroute |
| --exclude-ports port-range | Don't scan the listed port range, e.g., --exclude-ports 0-255 |
| -F | Fast mode: scan only the 100 busiest ports for each protocol listed in the nmap-services file; the default is 1,000 |
| -O | Enable OS detection |
| -oN/-oX/-oS/-oG/-oA filename | Save results in the given format: -oN=normal, -oX=XML, -oS=script kiddie (for the l33t h4X0r), -oG=grep-able, -oA=all three of normal, XML and grep-able at once |
| -Pn | Skip host discovery (the ping scan) and treat every host as online; by default host discovery is enabled and uses ICMP Echo/Timestamp Request/TCP SYN/TCP ACK packets |
| -p port-range | Specify a port range, e.g., -p 1-65535 to scan all TCP ports |
| -sn | Disable the port scan and perform host discovery (ping scan) only |
| -sS or -sA | TCP SYN or TCP ACK scan (SYN is the default) |
| -sU | UDP scan |
| -sV | Probe open ports to determine service/version details |
| -T0 through -T5 | Set the timing template; higher is more aggressive; the default is 3 ("normal"); 4 is recommended in most cases |
| --traceroute | Perform a post-scan traceroute to each host, using the scan results to choose the port/protocol most likely to reach the target (if you only want a multi-hop traceroute as on Unix-like OSes, use -sn -Pn --traceroute) |
| -v | Increase verbosity of results; use -vv for greater verbosity |
| --version-intensity 0-9, --version-light, --version-all, --version-trace | Set service/version detection intensity from 0 (light) to 9 (all probes); --version-light limits probes to the most likely ones (intensity 2), --version-all tries every probe (intensity 9), --version-trace shows detailed version-scan activity |
Some nmap Examples
Verbose aggressive scan of a single host with traceroute, OS and service detection:
$ nmap -T4 -A -v myserver.com
Same as above, but also scan UDP ports:
$ nmap -sS -sU -T4 -A -v myserver.com
Scan some common TCP ports:
$ nmap -p 22,25,80,143,443,587,993,995 -T4 -A -v myserver.com
Skip host discovery:
$ nmap -p 22,25,80,143,443,587,993,995 -T4 -A -v -Pn myserver.com
Perform normal host discovery plus traceroute:
$ nmap -sn --traceroute myserver.com
Find and enumerate potential web servers among the 256 possible IP addresses in the given network (IPv4 CIDR notation), then attempt to identify the specific application running on ports 80/443:
$ nmap -sV -p 80,443 169.237.50.0/24
Same as above, but skip host discovery/ping scan, and save the results in XML and grep-able formats:
$ nmap -sV -Pn -p 80,443 -oX /home/me/webservers.xml -oG /home/me/webservers.gnmap 169.237.50.0/24
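Added example, not from the original page: once a scan like the last one has been saved in grep-able (-oG) format, the useful next step for an inventory is to reduce the file to the host/port pairs that are actually open, with the service and version nmap detected. The POSIX shell functions below do that with awk, splitting the tab-separated fields and the port/state/proto/owner/service/rpc/version entries that the grep-able format uses. The scan output they read is a constructed sample embedded in the script, not real scan results; the host names and product versions in it are placeholders.

```shell
#!/bin/sh
# Parse nmap grep-able (-oG) output and list open ports per host.
# Added example; the scan data below is constructed, not real output.

TAB=$(printf '\t')

# Constructed sample in nmap's grep-able format. Fields on a line are
# tab-separated; each "Ports:" entry is port/state/proto/owner/service/rpc/version/.
sample_gnmap() {
    cat <<EOF
# Nmap 7.93 scan initiated as: nmap -sV -Pn -p 80,443 -oG webservers.gnmap 169.237.50.0/24
Host: 169.237.50.10 (www.example.edu)${TAB}Status: Up
Host: 169.237.50.10 (www.example.edu)${TAB}Ports: 80/open/tcp//http//Apache httpd 2.4.52/, 443/open/tcp//ssl|http//Apache httpd 2.4.52/${TAB}Ignored State: closed (0)
Host: 169.237.50.11 ()${TAB}Ports: 80/closed/tcp//http///, 443/open/tcp//ssl|http//nginx 1.18.0/
Host: 169.237.50.12 ()${TAB}Ports: 80/filtered/tcp//http///, 443/filtered/tcp//https///
# Nmap done -- 256 IP addresses (3 hosts up) scanned in 60.00 seconds
EOF
}

# open_ports: read grep-able output on stdin and print one line per open port:
#   "<ip> <port>/<proto> <service> <version>"
# Comment lines and Status-only lines are skipped. Only the exact state
# "open" counts; "open|filtered" is deliberately left out because it is
# not a confirmed listener.
open_ports() {
    awk -F'\t' '
        /^#/ { next }
        {
            ip = ""; ports = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^Host: /)  { split($i, h, " "); ip = h[2] }
                if ($i ~ /^Ports: /) { ports = substr($i, 8) }
            }
            if (ip == "" || ports == "") next
            n = split(ports, entry, ", ")
            for (j = 1; j <= n; j++) {
                split(entry[j], f, "/")
                # f[1]=port f[2]=state f[3]=proto f[5]=service f[7]=version
                if (f[2] == "open")
                    printf "%s %s/%s %s %s\n", ip, f[1], f[3], f[5], f[7]
            }
        }'
}

# count_open_hosts: number of distinct hosts with at least one open port.
count_open_hosts() {
    open_ports | awk '{ print $1 }' | sort -u | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample. Against a live scan the same
# functions take nmap's output directly, e.g.:
#   nmap -sV -Pn -p 80,443 -oG - 169.237.50.0/24 | open_ports
sample_gnmap | open_ports
printf 'hosts with an open port: %s\n' "$(sample_gnmap | count_open_hosts)"
```

`-oG -` writes the grep-able report to stdout so it can be piped without a temporary file. Note that the nmap documentation marks grep-able output as deprecated in favour of XML, so for anything beyond quick one-liners parse the -oX file instead.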